HTTP Security Headers Category

Referrer-Policy HTTP Header Referer is a request header that is confusing on multiple levels. First of all ‘referer’ is misspelt. (The correct spelling is ‘referrer’.) Even though this is an amusing fun fact, it also shows just how hard it is to even correct a simple mistake such as a missing ‘r’ in an HTTP […]

Expect-CT HTTP Header The header that will eventually replace HPKP is called Expect-CT. Even though HPKP was a useful security feature, it by far wasn’t the only way to detect certificates issued by rogue CAs or to prevent them from doing so. With security mechanisms such as Certificate Authority Authorization (CAA) and Certificate Transparency, we can still be

HTTP Public Key Pinning In order to understand HTTP Public Key Pinning (HPKP), let’s take a look at how browsers implement the SSL handshake, which is conducted before establishing a secure connection. When our users try to access our site securely, we send them our public key that both affirms that they are talking to

HTTP Strict Transport Security As the name suggests, HSTS is a mechanism that forces browsers to use a secure web connection. In fact, we can call HSTS the ‘missing link’ in the secure web connection chain. Why? With end-to-end encryption, SSL lays the foundation for a secure and authorized connection. In an ideal SSL implementation,

Content Security Policy Introduced in November 2012, Content Security Policy presents an extra layer of security against multiple vulnerabilities such as XSS, Clickjacking, Protocol Downgrading and Frame Injection. It appears that CSP will become the most significant tool for client side security in the near future, since it provides a substitute for security headers, such

X-Download-Options The X-Download-Options header can be used download the requested data instead of viewing it in the browser. The X-Download Options header is available in browsers such as Internet Explorer 8 and above. Therefore it is like an in-depth defense mechanism that is especially suited for applications that allow users to upload content. Below is an example

X-Content-Type-Options This HTTP header is typically used to control the MIME Type Sniffing function in web browsers. MIME Type Sniffing is a content evaluation function used by browsers when the content type is not specified. Basically, if the Content-Type header is blank or missing, the browser ‘sniffs’ the content and attempts to display the source in the

X-XSS-Protection X-XSS-Protection allows developers to change the behavior of the Reflected XSS (Cross-Site Scripting) security filters. These filters aim to detect dangerous HTML input and either prevent the site from loading or remove potentially malicious scripts. What Can Malicious Attackers Do When Exploiting a Reflected XSS Vulnerability? Reflected XSS is a vulnerability that arises from the evaluation

X-Frame-Options The X-Frame-Options Header is a security header suggested by Microsoft to avoid the UI Redressing attacks that began with Clickjacking in 2009. It’s supported by all major browsers. UI Redressing attacks are based on loading web pages inside an iframe and overlaying them with other UI elements. There are various types of UI Redressing,

Introduction This whitepaper explains how HTTP headers can be used in relation to web application security. It highlights the most commonly used HTTP headers and explains how each of them works in technical detail. Headers are part of the HTTP specification, defining the metadata of the message in both the HTTP request and response. While